Application Security Testing Checklist

Six steps you can take to ensure the safety and security of your web applications - and the sensitive data they contain.


1) Threat Modeling

It takes time and resources to secure an application, and with dozens of pieces of software used by employees at all levels of your organisation, it's essential to ensure that scarce security resources are deployed in the most effective way possible.

It's for that reason that threat modeling is a crucial first step in application security testing: it makes it possible to decompose an application, identify threats, rank them in order of severity, and assign resources appropriately.

Learn more: What is Application Threat Modeling?

2) Authentication

Authentication is a crucial first line of defense, ensuring that only recognised users, servers and programs can interact with an application.

User authentication problems are a particularly common cause of data breaches, and it's important for all users to follow strong username and password protocols, and for sensitive applications to require two-factor authentication. All authentication attempts should be logged, and repeatedly failed logins should trigger an account lock-out.
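The logging and lock-out requirements above, as an added example (not code from the original page): a small login guard that records every attempt, counts failures per account and locks the account for a fixed period once the threshold is reached. The `verify_password` callback, the threshold and the lock-out duration are assumptions for illustration.

```python
import logging
import time
from dataclasses import dataclass

# Constructed policy values for this example; real thresholds belong in configuration.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60

log = logging.getLogger("auth")


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginGuard:
    """Logs every authentication attempt and locks an account after repeated failures."""

    def __init__(self, verify_password, clock=time.time):
        # verify_password(username, password) -> bool is supplied by the caller (assumed).
        self._verify = verify_password
        self._clock = clock  # injectable so the lock-out window can be tested deterministically
        self._accounts: dict[str, AccountState] = {}

    def attempt(self, username: str, password: str, client_ip: str) -> str:
        """Returns "ok", "failed" or "locked". Every path is logged."""
        state = self._accounts.setdefault(username, AccountState())
        now = self._clock()

        if now < state.locked_until:
            log.warning("auth attempt on locked account user=%s ip=%s", username, client_ip)
            return "locked"

        if self._verify(username, password):
            state.failed_attempts = 0
            log.info("auth success user=%s ip=%s", username, client_ip)
            return "ok"

        state.failed_attempts += 1
        log.warning("auth failure user=%s ip=%s count=%d",
                    username, client_ip, state.failed_attempts)
        if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
            state.locked_until = now + LOCKOUT_SECONDS
            state.failed_attempts = 0
            log.warning("account locked user=%s until=%d", username, int(state.locked_until))
            return "locked"
        return "failed"
```

The caller should map all three results to the same generic error message for the user, so that the response does not reveal whether the account exists or is locked; the detail lives in the log, where the security team can alert on bursts of failures or lock-outs.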

Learn more: How to Improve Organisation-Wide Password Security

3) Access Control

Once a user has been authenticated by an application, it's the software's access control that determines the data they're allowed to see and modify.

Problems with 'elevated rights' can contribute to unintentional data breaches, so it's a good idea to enforce access controls on a 'least privilege' model, with new users afforded only the most basic level of data access by default.
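A least-privilege check of the kind described above, added here as an example rather than taken from the page: the policy is default-deny, a new user lands in the most basic role, and 'own' permissions are scoped to records the caller owns, so a user cannot read or modify another user's data simply by guessing its ID. The role names and permission strings are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed role-to-permission map. Anything not listed here is denied.
ROLE_PERMISSIONS = {
    "basic": {"record:read_own"},
    "editor": {"record:read_own", "record:write_own"},
    "admin": {"record:read_any", "record:write_any", "user:manage"},
}
DEFAULT_ROLE = "basic"  # new users start here and must be promoted explicitly


@dataclass
class User:
    id: str
    role: str = DEFAULT_ROLE


@dataclass
class Record:
    id: str
    owner_id: str


def is_allowed(user: User, action: str, record: Record) -> bool:
    """Default deny: allow only if an explicit permission grants the action.

    action is "read" or "write". '_any' permissions apply to every record;
    '_own' permissions apply only to records the caller owns, which blocks
    horizontal privilege escalation between users of the same role.
    """
    perms = ROLE_PERMISSIONS.get(user.role, set())  # unknown role -> no permissions
    if f"record:{action}_any" in perms:
        return True
    return f"record:{action}_own" in perms and record.owner_id == user.id


def has_permission(user: User, permission: str) -> bool:
    """Non-record permissions (e.g. user:manage) follow the same default-deny rule."""
    return permission in ROLE_PERMISSIONS.get(user.role, set())
```

When testing access control, exercise the negative cases as deliberately as the positive ones: a basic user reading someone else's record, an editor writing it, and a role name that does not exist in the map should all be refused.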

4) Command Injection

Command injection problems occur when malicious code is 'injected' into open parameters in an application. SQL injection uses this mechanism to inject commands directly into an application's database, and cross-site scripting (XSS) uses the same principle to target the end user, tricking them into taking a malicious action on behalf of the attacker.

Together, SQL injection and XSS are two of the most common application vulnerabilities. To combat them, it's essential to carefully sanitise user input: constraining data input, validating data and rejecting 'known bad' input.
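The three controls named above (constrain, validate, reject) plus the two fixes that actually close these bugs, as an added example that is not from the original page: a string-built query beside its parameterised form, an allow-list validator for usernames, and HTML output encoding for anything rendered back to the browser. The in-memory SQLite table and its rows are constructed for the example.

```python
import html
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # DON'T: concatenating input lets it change the structure of the query,
    # which is exactly what SQL injection exploits.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    # DO: bound parameters keep input as data; the query shape is fixed before
    # any user-controlled value is seen by the database.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def validate_username(username: str) -> bool:
    # Constrain input with an allow-list of what a username may look like and
    # reject everything else, rather than trying to strip 'bad' characters out.
    return USERNAME_RE.fullmatch(username) is not None


def render_greeting(username: str) -> str:
    # Output encoding for XSS: escape untrusted data for the HTML context it
    # lands in, so that angle brackets and quotes are shown, not interpreted.
    return "<p>Welcome, " + html.escape(username, quote=True) + "</p>"
```

Validation and output encoding are complementary, not alternatives: the allow-list stops malformed usernames at the edge, the bound parameter protects the database even if validation is bypassed elsewhere, and the escape protects the page regardless of where the value came from.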

Learn more: 5 Website Security Issues Your Company May Be Ignoring

5) Session Management

Web applications are often vulnerable to session management attacks, where malicious third parties hijack an authorised user's session, and assume their identity and access rights.

To protect against these attacks, cookies need to be sanitised, and devoid of any sensitive information; and session IDs should be unique to each user, and randomly generated after successful authentication.
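The session properties listed above, as an added example that is not part of the original page: the cookie carries only an opaque random identifier (no user data), the identifier comes from the operating system's CSPRNG, a fresh one is issued after successful authentication, and the cookie is sent with the flags that keep it off the wire in clear text and away from page scripts. The cookie name, time-to-live and the in-memory store are assumptions for illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL_SECONDS = 30 * 60  # constructed value for the example


class SessionStore:
    """Server-side session state; the client only ever holds the random ID."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable for deterministic expiry tests
        self._sessions: dict[str, dict] = {}

    def create(self, user_id: str) -> str:
        # 256 bits from the OS CSPRNG: not derived from the username, time or a counter.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {
            "user_id": user_id,
            "expires": self._clock() + SESSION_TTL_SECONDS,
        }
        return session_id

    def rotate_on_login(self, old_session_id: str, user_id: str) -> str:
        # Issue a new ID after authentication so an ID handed out before login
        # (possibly planted by an attacker) never becomes an authenticated session.
        self._sessions.pop(old_session_id, None)
        return self.create(user_id)

    def lookup(self, session_id: str):
        """Returns the user ID for a live session, or None."""
        session = self._sessions.get(session_id)
        if session is None or self._clock() > session["expires"]:
            self._sessions.pop(session_id, None)
            return None
        return session["user_id"]

    def destroy(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)


def session_cookie_header(session_id: str) -> str:
    """Builds the Set-Cookie value: opaque ID only, HttpOnly, Secure, SameSite, bounded lifetime."""
    cookie = SimpleCookie()
    cookie["sid"] = session_id
    cookie["sid"]["httponly"] = True   # not readable by page scripts
    cookie["sid"]["secure"] = True     # only sent over HTTPS
    cookie["sid"]["samesite"] = "Lax"  # not sent on cross-site POSTs
    cookie["sid"]["path"] = "/"
    cookie["sid"]["max-age"] = SESSION_TTL_SECONDS
    return cookie.output(header="").strip()
```

A test for the 'devoid of sensitive information' requirement is simply to decode whatever the application sets as a cookie: if a username, role or email address is recoverable from it, the session design has failed before any attack is considered.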

6) Secure Data Transmission

An essential part of securing an application is the protection of sensitive data, both at rest and in motion. Many organisations overlook the importance of data in motion security, and fail to properly encrypt their information - leaving it vulnerable to interception.

There are two components to securely transmitting data:

Identifying Data to Encrypt

Encryption adds latency to an application, so it needs to be applied only to data that needs securing. To achieve this, it's essential to develop a framework for analysing and prioritising the sensitivity of data.

Properly Implementing Encryption

Encryption is often poorly implemented, so it's essential to check that all sensitive data (including passwords and user IDs) is encrypted, and that encryption algorithms are suitably random, strong and secure (and ideally, taken from an established external library rather than written in-house).
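Two checks a tester can run against the 'properly implementing encryption' step, added here as an example that is not from the original page. The first audits the TLS configuration used for data in motion, with a weak client context beside a hardened one; the second shows the established treatment of stored passwords, which is a salted, deliberately slow hash rather than reversible encryption, using the standard library's scrypt so that no in-house algorithm is involved. The audit messages, scrypt parameters and stored-record format are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import ssl


def make_weak_context() -> ssl.SSLContext:
    """The kind of setting that 'works' in testing but leaves data in motion exposed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # accept a certificate for any name
    ctx.verify_mode = ssl.CERT_NONE  # accept any certificate at all
    return ctx                       # and no minimum protocol version enforced


def make_hardened_context() -> ssl.SSLContext:
    """System CA store, certificate and hostname verification, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Returns a list of findings; an empty list means the context passed the audit."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("no minimum of TLS 1.2 enforced")
    return findings


# scrypt parameters (constructed for the example; tune to your hardware budget).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """Stored form: 'scrypt$<salt hex>$<digest hex>'; a fresh random salt every time."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Constant-time comparison so timing does not leak how much of the digest matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```

`audit_context` is the shape of check worth automating in a test suite: construct the context the application actually uses and assert that the finding list is empty, so that a 'temporary' `CERT_NONE` added during debugging fails the build rather than shipping.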